CVE-2017-1732 — Sensitive Information Exposure in IBM Security Access Manager FOR Enterprise Single Sign-on

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

5.3MEDIUMNVD

CNA4.3

EPSS

0.1%

top 65.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Security Access Manager FOR Enterprise Single Sign-on

Timeline

PublishedAug 17

Latest updateMay 13

Description

IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 134913.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5ibm/security_access_manager_for_enterprise_single_sign-on8.2.2

▶NVDibm/security_access_manager8.2.2

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-p3mp-9p7p-4p9j: IBM Security Access Manager for Enterprise Single Sign-On 8↗2022-05-13

▶

CVEList

CVE-2017-1732: IBM Security Access Manager for Enterprise Single Sign-On 8↗2018-08-17

▶